In this article I want to share a method to use your SSH keypair to encrypt messages. We are going to use age in Ubuntu 24.04.
The installation guide can be found in the official repo.
Before we start with usage, let me share some limitations. Not all SSH key types are suited for encryption - even tho there seem to be workarounds. In a Github comment it was mentioned by 'str4d' that sk-* SSH keys won't work as they only provide support for authentication.
The same seems to be the case for ECDSA (Elliptic Curve Digital Signature Algorithm) SSH keys as I got the following error message while testing:
age: warning: recipients file "./age-testing.pub": ignoring unsupported SSH key of type "ecdsa-sha2-nistp521" at line 1
In this article I'll be working with EdDSA-ed25519 and RSA SSH keys.
# RSA (Rivest–Shamir–Adleman):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey
# EdDSA ed25519:
ssh-keygen -t ed25519 -f ~/.ssh/nameofthekey
Additionally, the ssh-agent is not supported.
Common use cases are to encrypt data to allow you to store ore transfer it securly in an untrusted or unknwon environment. You can make sure that only recipients with the right private key can decrypt the files, messages, or whatever.
Used version:
age --version
1.1.1
Encryption of a simple string with SSH public key:
echo "Cheers" | age -R ~/.ssh/id_ssh.pub > cheers.txt
Encrypted content:
cat cheers.txt
age-encryption.org/v1
-> ssh-ed25519 7uu5gg 4ivp9LPXTVu6ryrhuSskhL5A3RuQWL8XAg5mxbx6v0s
kGJzFPj2TiwrvrWmVonCsGcWeYmQ7qsV5WXNrf6c0H0
--- Rr+SI6g+73XM6R3CTa7WVp4eEDBgdmZMlsjhHihwjz4
Decrypt file with SSH private key:
cat cheers.txt | age -d -i ~/.ssh/id_ssh
Cheers
To encrypt files, we build upon the example from the official documentation:
tar cvz ./data | age -R ~/.ssh/id_ssh.pub | base64 > data.tar.gz.age
./data/
./data/random-video.mp4
Remove the source files:
rm -r ./data
Decrypt files:
cat data.tar.gz.age | base64 --decode | age -d -i ~/.ssh/id_ssh | tar xzv
./data/
./data/random-video.mp4
Side Note: I'll use base64 encoding to make it more compatible with more services as some tools might not like the binary encoding.
Addition: Instead of the base64 encoding, you could use a, --armor to have a more compatible format like this:
# Encryption
tar cvz ./data | age -a -R ~/.ssh/id_ssh.pub > data.tar.gz.armor.age
# Format
head -5 data.tar.gz.armor.age
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd1dTVnZyBjL0Zo
eTJUWDdDR0YzdzdjdDJEZjVxV0NRS1kxMlJWZEt5Y1hONGp4OHljCmJCdjBrUWlZ
QitTcC9Na1BDV2NCbHJsSlhaVHRJMElJMkJxUVdSd3ZFRjAKLS0tIGdSRHJFRVBV
NkFFbjNTbStBLzg0THJCM0lCMHdKbzhvRS9YemhISlRUY0kKK7Cxnu172NVbpBaa
# Decryption
cat data.tar.gz.armor.age | age -d -i ~/.ssh/id_ssh | tar xzv
Thank you technomancy for pointing it out!
There a multiple CLI paste service that allow you to share configs, error messages, and so on. Examples are 0x0.st or linedump.com.
Encrypting the payload makes sure that nobody else can read the content.
Upload
echo "Cheers" | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.comage -R ~/.ssh/id_ssh.pub -o - file.txt | base64 | curl -X POST --data-binary @- https://linedump.comip -br a | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.comDownload
curl -s https://linedump.com/{paste_id} | base64 -d | age -d -i ~/.ssh/id_ssh > output3.txtSide Notes: A disclaimer: Linedump is a project of mine which was one reason to look into the encryption with SSH keypairs for some automation.
age allows you to encrypt for multiple recipients which can decrypt it individually, which is great for a team or some automation and syncing.
Simply use multiple -r/--recipient flags - which requires the public key in the command or simply add the public keys to a file and use -R - one key per line.
Official documentation:
cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
age -R recipients.txt example.jpg > example.jpg.age
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。